Post navigation

Ten states, including California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma, and Texas, plus Puerto Rico have laws that prohibit merchants from charging consumers with surcharges on credit card transactions. Minnesota prohibits a seller of goods or services that establishes and is responsible for its own customer credit card from imposing a surcharge on a purchaser who elects to use that credit card in lieu of payment by cash, check, or similar means. The language varies by state- B2B transactions may be excluded. Tread carefully, you may want to consult an attorney. Merchants are not allowed to surcharge debit cards in any state.

The EU banned consumer surcharging effective January 2018.

Surcharge rules are complex and require special technology to automate compliance management. Contact Christine Speedy, CenPOS authorized reseller, 954-942-0483 for assistance. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Accountants offer professional advice regarding cash flow, accounts receivable, tax preparation and all sorts of other consulting. Credit card processing and all the compliance it encompasses introduced immense new compliance challenges in 2017, and it’s fair to say, most businesses have no idea what they are, or what the repercussions are. A big problem is people think it’s someone else’s responsibility to keep their business compliant. Every single merchant must make internal changes to comply.

Three things every B2B company needs to know about credit card processing right now:

If you store credit cards, you must be compliant with Visa Stored Credential Framework. This is arguably as huge as the retail shift to EMV chip card acceptance. There are significant financial and risk consequences for non-compliance. Some solutions companies reduce the compliance burden more than others, while maximizing profits and cash flow.

PCI Compliance mandate for TLS disablement will disrupt business, mostly starting right now, February 2018. Businesses need to ensure they’re servers, software (if applicable) and browsers are compliant, and also have an plan to help internal and external customers overcome issues trying to login to portals, make online payments etc.

It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway.

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms also. 86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees.

Example of solutions to solve these problems:

An intelligent payment gateway can automate compliance with many elements of the Visa Stored Credential Framework. Simply passing data as most payment gateways do is not enough.

Engage internal or external IT team to test all systems for TLS compliance, and verify at SSLlabs.com.

Empower customers to self pay via push (text or email), or pull (online hosted pay page) technology so that employees never have access to cardholder data again. Whatever the old justification for using paper forms with full card data, there is a technology solution that has negated the need.

Compliance with credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But it’s getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

If your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework outlines merchant responsibilities to obtain customer consent as well as storing credit cards, using stored credentials (token), and managing stored tokens. Failure to comply with Authorization rules, for example preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type how can a business quickly ascertain if they’re compliant?

Most processing details occur seamlessly behind the scenes so merchants have not had a simple way of knowing whether they’re compliant. Until now.

Quick tips to validate compliance:

Is a transaction receipt delivered to customer when a stored credit card credential (token) is created? Compliant answer is yes.

Is cardholder authentication with a zero dollar authorization or a purchase transaction performed at the time token is created? (A small charge is not an acceptable practice.) Compliant answer is yes.

Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.

Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.

Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by ERP or other software integration limitation. For a Microsoft Dynamics AX, Dynamics 365, and other ERP integrated solutions, call 954-942-0483 9-5 ET.

Christine Speedy, CenPOS Sales 954-942-0483. CenPOS is a cloud business solutions provider with end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement.

From the Visa Merchant Business News Digest, October 17, 2017.

In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements went into effect for merchants and acquirers on 14 October 2017.

However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.

While the rule is still effective as of 14 October 2017, Visa will not take any compliance action or assess non-compliance assessments to non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.

The stored credential framework applies to all merchants that store credit cards. Note, while some stakeholders were not ready as per the above statements, CenPOS was. CenPOS replaces other payment gateways, for example authorize.net, as well as solutions such as BillTrust, while enabling customers to keep their acquirers and other partners.

To keep your data safe, the Payment Card Industry Security Standards Council (PCI SSC) has mandated a security upgrade impacting all merchants where web browsers can be used in the payment process. Acquirers and payment gateways have set various deadlines in advance of the required PCI TLS v1.2 Security Protocol Upgrade by 2018. Either hardware may need to be replaced or software updated.

Recently, multiple vulnerabilities have been uncovered. Criminals are using the vulnerabilities at massive levels over prior years. Security company Zscaler blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. That’s why all merchants need to upgrade to the most current version of TLS (Version 1.2) and should do so as soon as possible. Because this is an absolute necessity, merchants are getting emails about hard stop dates; if not fixed, merchants will not be able to process transactions after the deadline.

TLS Deadlines vary by acquirer and payment gateway. Dates have been changing due to non-compliance so check with your partners.

First Data varies by solution. Datawire will remove SSL v3, TLS v1.0, and TLS v1.1 on February 15th 2018.

TLS 1.0 and TLS 1.1 need to be disabled from browsers, servers and related applications. SSL 3.0 should have been disabled years ago.

Do not rely on server host companies or consultants to do this for you. It’s up to merchants to maintain PCI Compliance. If you get a notice of non-compliance from your acquirer and use a virtual terminal, test your browser below.

FREE Test SSL/TLS for Browser and Servers and updating TLS for card not present transactions:

Try updating your browser and then run the test again. If the browser is current, go to your web browser settings or preferences and disable SSL and TLS 1.0. Run the same test on your web site. If you get a yes, go to your host administration and disable in security settings.

What is TLS Security Protocol?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are both frequently referred to as “SSL”. When you go to a web page and the URL is “https”, the S stands for secure, and the domain host has a security certificate installed and enabled on the web host. Websites use TLS to secure all communications between their servers and web browsers. For example, when a merchant logs into a virtual terminal using a web browser, or a customer makes a payment online via a hosted pay page or ecommerce shopping cart.